trafficserver-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From sor...@apache.org
Subject git commit: TS-2569: set the default SSL options correctly
Date Sat, 08 Mar 2014 00:30:51 GMT
Repository: trafficserver
Updated Branches:
  refs/heads/4.2.x 37b33476e -> b262f4b34


TS-2569: set the default SSL options correctly

We discovered that the proxy.config.ssl.server.honor_cipher_order=1
setting was not working correctly. After investigating it was
determined that if you do not have a dest_ip=* in the ssl_multicert.config
file then the server cipher order setting will not be honored.  The
proposed fix (which works) is to initialize the default context with
the necessary SSL options.

(cherry picked from commit 963982e432a6fa5ef0f1968904c75571a3f6befb)

Conflicts:
	CHANGES
	iocore/net/SSLUtils.cc


Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo
Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/b262f4b3
Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/b262f4b3
Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/b262f4b3

Branch: refs/heads/4.2.x
Commit: b262f4b34def13bf16db32810da8766d83a59451
Parents: 37b3347
Author: Ron Barber <rbarber@yahoo-inc.com>
Authored: Thu Feb 27 14:37:42 2014 -0800
Committer: Phil Sorber <sorber@apache.org>
Committed: Fri Mar 7 17:30:05 2014 -0700

----------------------------------------------------------------------
 CHANGES                |   3 ++
 iocore/net/SSLUtils.cc | 110 +++++++++++++++++++++++++-------------------
 2 files changed, 66 insertions(+), 47 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/trafficserver/blob/b262f4b3/CHANGES
----------------------------------------------------------------------
diff --git a/CHANGES b/CHANGES
index 91ced1f..2aafea7 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,9 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache Traffic Server 4.2.0
 
+  *) [TS-2569] Set the default SSL options correctly.
+   Author: Ron Barber <rbarber@yahoo-inc.com>
+
   *) [TS-2620] Make the stats_over_http plugin publish node and plugin stats.
 
   *) [TS-2607] Fix TS_USE_HWLOC #define in build process

http://git-wip-us.apache.org/repos/asf/trafficserver/blob/b262f4b3/iocore/net/SSLUtils.cc
----------------------------------------------------------------------
diff --git a/iocore/net/SSLUtils.cc b/iocore/net/SSLUtils.cc
index 4b1b646..88ffcfb 100644
--- a/iocore/net/SSLUtils.cc
+++ b/iocore/net/SSLUtils.cc
@@ -445,54 +445,56 @@ SSLInitServerContext(
 #endif
   SSL_CTX_set_quiet_shutdown(ctx, 1);
 
-  // XXX OpenSSL recommends that we should use SSL_CTX_use_certificate_chain_file() here.
That API
-  // also loads only the first certificate, but it allows the intermediate CA certificate
chain to
-  // be in the same file. SSL_CTX_use_certificate_chain_file() was added in OpenSSL 0.9.3.
-  completeServerCertPath = Layout::relative_to(params->serverCertPathOnly, serverCertPtr);
-  if (!SSL_CTX_use_certificate_file(ctx, completeServerCertPath, SSL_FILETYPE_PEM)) {
-    SSLError("failed to load certificate from %s", (const char *)completeServerCertPath);
-    goto fail;
-  }
-
-  // First, load any CA chains from the global chain file.
-  if (params->serverCertChainFilename) {
-    xptr<char> completeServerCertChainPath(Layout::relative_to(params->serverCertPathOnly,
params->serverCertChainFilename));
-    if (!SSL_CTX_add_extra_chain_cert_file(ctx, completeServerCertChainPath)) {
-      SSLError("failed to load global certificate chain from %s", (const char *)completeServerCertChainPath);
+  // if serverCertPtr == NULL, then we are initing the default context so skip server cert
init
+  if (serverCertPtr) {
+    // XXX OpenSSL recommends that we should use SSL_CTX_use_certificate_chain_file() here.
That API
+    // also loads only the first certificate, but it allows the intermediate CA certificate
chain to
+    // be in the same file. SSL_CTX_use_certificate_chain_file() was added in OpenSSL 0.9.3.
+    completeServerCertPath = Layout::relative_to(params->serverCertPathOnly, serverCertPtr);
+    if (!SSL_CTX_use_certificate_file(ctx, completeServerCertPath, SSL_FILETYPE_PEM)) {
+      SSLError("failed to load certificate from %s", (const char *)completeServerCertPath);
       goto fail;
     }
-  }
 
-  // Now, load any additional certificate chains specified in this entry.
-  if (serverCaCertPtr) {
-    xptr<char> completeServerCertChainPath(Layout::relative_to(params->serverCertPathOnly,
serverCaCertPtr));
-    if (!SSL_CTX_add_extra_chain_cert_file(ctx, completeServerCertChainPath)) {
-      SSLError("failed to load certificate chain from %s", (const char *)completeServerCertChainPath);
-      goto fail;
+    // First, load any CA chains from the global chain file.
+    if (params->serverCertChainFilename) {
+      xptr<char> completeServerCertChainPath(Layout::relative_to(params->serverCertPathOnly,
params->serverCertChainFilename));
+      if (!SSL_CTX_add_extra_chain_cert_file(ctx, completeServerCertChainPath)) {
+        SSLError("failed to load global certificate chain from %s", (const char *)completeServerCertChainPath);
+        goto fail;
+      }
     }
-  }
 
-  if (serverKeyPtr == NULL) {
-    // assume private key is contained in cert obtained from multicert file.
-    if (!SSL_CTX_use_PrivateKey_file(ctx, completeServerCertPath, SSL_FILETYPE_PEM)) {
-      SSLError("failed to load server private key from %s", (const char *)completeServerCertPath);
-      goto fail;
+    // Now, load any additional certificate chains specified in this entry.
+    if (serverCaCertPtr) {
+      xptr<char> completeServerCertChainPath(Layout::relative_to(params->serverCertPathOnly,
serverCaCertPtr));
+      if (!SSL_CTX_add_extra_chain_cert_file(ctx, completeServerCertChainPath)) {
+        SSLError("failed to load certificate chain from %s", (const char *)completeServerCertChainPath);
+        goto fail;
+      }
     }
-  } else if (params->serverKeyPathOnly != NULL) {
-    xptr<char> completeServerKeyPath(Layout::get()->relative_to(params->serverKeyPathOnly,
serverKeyPtr));
-    if (!SSL_CTX_use_PrivateKey_file(ctx, completeServerKeyPath, SSL_FILETYPE_PEM)) {
-      SSLError("failed to load server private key from %s", (const char *)completeServerKeyPath);
-      goto fail;
+
+    if (serverKeyPtr == NULL) {
+      // assume private key is contained in cert obtained from multicert file.
+      if (!SSL_CTX_use_PrivateKey_file(ctx, completeServerCertPath, SSL_FILETYPE_PEM)) {
+        SSLError("failed to load server private key from %s", (const char *)completeServerCertPath);
+        goto fail;
+      }
+    } else if (params->serverKeyPathOnly != NULL) {
+      xptr<char> completeServerKeyPath(Layout::get()->relative_to(params->serverKeyPathOnly,
serverKeyPtr));
+      if (!SSL_CTX_use_PrivateKey_file(ctx, completeServerKeyPath, SSL_FILETYPE_PEM)) {
+        SSLError("failed to load server private key from %s", (const char *)completeServerKeyPath);
+        goto fail;
+      }
+    } else {
+      SSLError("empty SSL private key path in records.config");
     }
-  } else {
-    SSLError("empty SSL private key path in records.config");
-  }
 
-  if (!SSL_CTX_check_private_key(ctx)) {
-    SSLError("server private key does not match the certificate public key");
-    goto fail;
+    if (!SSL_CTX_check_private_key(ctx)) {
+      SSLError("server private key does not match the certificate public key");
+      goto fail;
+    }
   }
-
   if (params->clientCertLevel != 0) {
 
     if (params->serverCACertFilename != NULL && params->serverCACertPath !=
NULL) {
@@ -626,10 +628,14 @@ asn1_strdup(ASN1_STRING * s)
 static void
 ssl_index_certificate(SSLCertLookup * lookup, SSL_CTX * ctx, const char * certfile)
 {
-  X509_NAME * subject = NULL;
+  X509_NAME *   subject = NULL;
+  X509 *        cert;
+  ats_file_bio  bio(certfile, "r");
 
-  ats_file_bio bio(certfile, "r");
-  X509* cert = PEM_read_bio_X509_AUX(bio.bio, NULL, NULL, NULL);
+  cert = PEM_read_bio_X509_AUX(bio.bio, NULL, NULL, NULL);
+  if (NULL == cert) {
+    return;
+  }
 
   // Insert a key for the subject CN.
   subject = X509_get_subject_name(cert);
@@ -645,14 +651,14 @@ ssl_index_certificate(SSLCertLookup * lookup, SSL_CTX * ctx, const char
* certfi
       ASN1_STRING * cn = X509_NAME_ENTRY_get_data(e);
       xptr<char> name(asn1_strdup(cn));
 
-      Debug("ssl", "mapping '%s' to certificate %s", (const char *)name, certfile);
+      Debug("ssl", "mapping '%s' to certificate %s", (const char *) name, certfile);
       lookup->insert(ctx, name);
     }
   }
 
 #if HAVE_OPENSSL_TS_H
   // Traverse the subjectAltNames (if any) and insert additional keys for the SSL context.
-  GENERAL_NAMES * names = (GENERAL_NAMES *)X509_get_ext_d2i(cert, NID_subject_alt_name, NULL,
NULL);
+  GENERAL_NAMES * names = (GENERAL_NAMES *) X509_get_ext_d2i(cert, NID_subject_alt_name,
NULL, NULL);
   if (names) {
     unsigned count = sk_GENERAL_NAME_num(names);
     for (unsigned i = 0; i < count; ++i) {
@@ -661,7 +667,7 @@ ssl_index_certificate(SSLCertLookup * lookup, SSL_CTX * ctx, const char
* certfi
       name = sk_GENERAL_NAME_value(names, i);
       if (name->type == GEN_DNS) {
         xptr<char> dns(asn1_strdup(name->d.dNSName));
-        Debug("ssl", "mapping '%s' to certificate %s", (const char *)dns, certfile);
+        Debug("ssl", "mapping '%s' to certificate %s", (const char *) dns, certfile);
         lookup->insert(ctx, dns);
       }
     }
@@ -895,8 +901,18 @@ SSLParseCertificateConfiguration(
   // bootstrap the SSL handshake so that we can subsequently do the SNI lookup to switch
to the real
   // context.
   if (lookup->ssl_default == NULL) {
-    lookup->ssl_default = ssl_context_enable_sni(SSLDefaultServerContext(), lookup);
-    lookup->insert(lookup->ssl_default, "*");
+    xptr<char> addr;
+    xptr<char> cert;
+    xptr<char> ca;
+    xptr<char> key;
+    int session_ticket_enabled = -1;
+    xptr<char> ticket_key_filename;
+
+    addr = ats_strdup("*");
+    if (!ssl_store_ssl_context(params, lookup, addr, cert, ca, key, session_ticket_enabled,
ticket_key_filename)) {
+      Error("failed to store default ctx ");
+      return false;
+    }
   }
 
   return true;


Mime
View raw message